A complete IKEv2 proposal must have at least one set of security parameters, including one
encryption algorithm, one integrity protection algorithm, one PRF algorithm, and one DH group.
You can specify multiple IKEv2 proposals for an IKEv2 policy. A proposal specified earlier has a
higher priority.
To configure an IKEv2 proposal:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Create an IKEv2 proposal and enter IKEv2 proposal view.
   Command: ikev2 proposal proposal-name
   Remarks: By default, an IKEv2 proposal named default exists.
   In non-FIPS mode, the default proposal uses the following settings:
   • Encryption algorithms AES-CBC-128 and 3DES.
   • Integrity protection algorithms HMAC-SHA1 and HMAC-MD5.
   • PRF algorithms HMAC-SHA1 and HMAC-MD5.
   • DH groups 2 and 5.
   In FIPS mode, the default proposal uses the following settings:
   • Encryption algorithms AES-CBC- AES-CTR-128.
   • Integrity protection algorithms HMAC-SHA1 and HMAC-SHA256.
   • PRF algorithms HMAC-SHA1 and HMAC-SHA256.
   • DH groups 14 and 19.
3. algorithms.
   Command:
   In non-FIPS mode:
   encryption { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | aes-ctr-128 | aes-ctr-192 | aes-ctr-256 | camellia-cbc-128 | camellia-cbc-192 | camellia-cbc-256 | des-cbc } *
   In FIPS mode:
   encryption { aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | aes-ctr-128 | aes-ctr-192 | } *
   Remarks: By default, an IKEv2 proposal does not have any encryption algorithms.
4. Specify the integrity protection algorithms.
   Command:
   In non-FIPS mode:
   integrity { aes-xcbc-mac | md5 | sha1 | sha256 | sha384 | sha512 } *
   In FIPS mode:
   integrity { sha1 | sha256 | sha384 | } *
   Remarks: By default, an IKEv2 proposal does not have any integrity protection algorithms.
5. algorithms.
   Command:
   In non-FIPS mode:
   prf { aes-xcbc-mac | md5 | sha1 | sha256 | sha384 | sha512 } *
   Remarks: By default, an IKEv2 proposal uses the integrity protection algorithms as the PRF algorithms.
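The rules in this procedure (a complete proposal needs encryption, integrity, PRF and DH settings; a new proposal has no encryption or integrity algorithms by default; the PRF falls back to the integrity algorithms) can be checked offline against a saved configuration. The following Python sketch is an added example, not part of the original guide or any vendor tooling. It assumes proposals are saved as `ikev2 proposal <name>` blocks with one indented command per line and that the DH command keyword is `dh`. Flagging DES, 3DES and MD5 is a policy choice of this example.

```python
import re

# Policy chosen for this example (not stated in the guide): legacy algorithms to flag.
LEGACY = {"encryption": {"des-cbc", "3des-cbc"}, "integrity": {"md5"}, "prf": {"md5"}}

# Constructed sample configuration. The "dh" keyword and group names are assumptions;
# this section of the guide does not show the DH command.
SAMPLE = """\
ikev2 proposal legacy
 encryption 3des-cbc aes-cbc-128
 integrity md5 sha1
 dh group2
#
ikev2 proposal nointeg
 encryption aes-cbc-256
 dh group14
#
ikev2 proposal strong
 encryption aes-ctr-256
 integrity sha256 sha384
 dh group14
"""

def parse_proposals(text):
    """Return {name: {command: [algorithms in configured order]}}."""
    proposals, current = {}, None
    for line in text.splitlines():
        m = re.match(r"ikev2 proposal (\S+)\s*$", line)
        if m:
            current = proposals.setdefault(m.group(1), {})
        elif not line.startswith(" "):
            current = None  # "#" or any other top-level line ends the proposal view
        elif current is not None and line.split():
            cmd, *algs = line.split()
            if cmd in ("encryption", "integrity", "prf", "dh"):
                current[cmd] = algs
    return proposals

def audit(proposal):
    """Return a list of findings for one parsed proposal."""
    eff = dict(proposal)
    # Per the guide: without a prf command, the integrity algorithms serve as PRF algorithms.
    eff.setdefault("prf", eff.get("integrity", []))
    findings = [f"missing {c}" for c in ("encryption", "integrity", "prf", "dh") if not eff.get(c)]
    for cmd, weak in LEGACY.items():
        findings += [f"legacy {cmd}: {a}" for a in eff.get(cmd, []) if a in weak]
    return findings

def audit_config(text):
    return {name: audit(p) for name, p in parse_proposals(text).items()}
```

Calling `audit_config()` on a saved configuration returns a dictionary of findings per proposal name; an empty list means the proposal is complete and uses none of the flagged algorithms.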